Guest Network on ER7206

2022-06-03 14:23:42
Model: ER7206 (TL-ER7206)  
Hardware Version: V1
Firmware Version: 1.2.0

Hello TP-Link Community.

We have a TL-ER7206, and we want to configure some kind of guest network where the clients can't communicate with each other and should not be able to access the web interfaces of the network components (router, access points).

We created 2 VLANs (VLAN1 => 192.168.0.0/24 called "LAN"; VLAN2 => 10.0.0.0/23 called "guest").

We also created IP groups for the 2 VLANs and one for the network components (10.0.0.1 - 10.0.0.10).

No matter what we set up in "Firewall/Access Control", we can't stop the clients in the guest VLAN from reaching each other, and they always have access to the web interfaces.

Here are some screenshots of the configuration.

It would be very nice if someone could help us.

#1
Re:Guest Network on ER7206
2022-06-08 01:56:20

  @Baseng 

You cannot stop a client from accessing the gateway web UI. But I remember that the AP can set up the so-called 'access control' where you block devices from accessing the web UI. Only admin can do that.

It was brought up before by someone, I remember.

I don't know what to say. If you cannot access the gateway IP, how would it be possible to access the internet? The gateway is accessible; that somehow explains this issue you see. From the perspective of networking, the gateway should be accessible by ping. Just block the network web UI. Maybe you do something like an ACL to block visits to the gateway IP by HTTP or HTTPS for your guest network? A workaround?

ScReW yOu gUyS. I aM GOinG hoMe. —————————————————————— For heaven's sake, can you write and describe your issue based on plain fact, common logic and a methodologic approach? Appreciate it.
#2
Re:Guest Network on ER7206
2022-06-09 14:24:22

  @Tedd404 

We didn't want to block the whole access to the gateway IP; we only tried to block port 80/443 for the gateway IP and for other devices in the ACL. But this doesn't work. Everybody can see the web UI.

#3
Re:Guest Network on ER7206
2022-06-10 03:05:34

  @Baseng 

OK. I just did a simple test by creating the IP-port ACL, blocking ports 80 and 443, because the gateway is still using both for access.

Default LAN: 10.0.0.1/24

I created a VLAN for the test, 172.168.1.1/24, and I set up the ACL, and I can block the access from the client to the gateway web UI and I can still get internet.

switch acl > type ip-port > src any network; dst ip-port group of the following entry:

ip-port group=172.168.1.1/32 port 80 port 443. Nothing else needs to be configured.

OK. It works immediately. I cannot telnet into 172.168.1.1 80 or 443 anymore.

#4
Re:Guest Network on ER7206
2022-06-13 15:41:41

  @Tedd404 

Thanks for your help! But can you post a screenshot of that config?

We can't follow your description.

#5
Re:Guest Network on ER7206
2022-06-14 19:36:45 - last edited 2022-06-14 19:41:00

  @Baseng 

Baseng wrote

  @Tedd404 

Thanks for your help! But can you post a screenshot of that config?

We can't follow your description.

#6
Re:Guest Network on ER7206
2022-06-15 07:46:45

  @Tedd404 

OK, I see. Now I know why this works for you. We don't have those options. We can only create IP groups without the ports.

We are using the ER7206 in standalone mode.

This is the IP Group creation mask.

We created an IP Group for the Router/Gateway, called "IPGROUP_Router"

And here we tried to block the HTTP port.

#7
Re:Guest Network on ER7206
2022-06-18 11:01:41

  @Baseng 

Yep, same thing. HTTP 80, HTTPS 443, so two rules should do the same thing.

You can also use the IP/subnet. 32 refers to a single IP address, which means it's one and only. So you can use 10.0.0.1/32 as well. Anyway, it works the same way: just blocking 80 and 443 so that nobody can access the gateway web UI but can still get internet.

#8
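
A way to verify the ACL discussed in this thread from a client on the guest VLAN, as an added example that is not part of any post: it repeats the "telnet to 80/443" check for every management address and confirms that traffic through the gateway still works. The function names, the 10.0.0.1 - 10.0.0.10 device range (taken from the first post) and the external test host are assumptions to adjust.

```python
import socket
import sys

WEB_UI_PORTS = (80, 443)  # HTTP/HTTPS, the two ports blocked in the thread


def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # host answered with a reset: reachable, no listener
    except OSError:
        return "filtered"  # timeout/unreachable: how a dropping ACL looks


def audit(targets, internet=None, timeout=2.0, probe_fn=probe):
    """Return (findings, internet_ok).

    findings lists every (host, port) whose web UI port still accepts
    connections; internet_ok is None when no internet check was requested.
    """
    findings = [(h, p) for h in targets for p in WEB_UI_PORTS
                if probe_fn(h, p, timeout) == "open"]
    internet_ok = None
    if internet is not None:
        internet_ok = probe_fn(internet[0], internet[1], timeout) == "open"
    return findings, internet_ok


if __name__ == "__main__":
    # Assumed values: the management range named in the first post and a
    # placeholder external host; replace both with your own.
    devices = [f"10.0.0.{i}" for i in range(1, 11)]
    findings, internet_ok = audit(devices, internet=("example.com", 443))
    for host, port in findings:
        print(f"FAIL web UI reachable from guest: {host}:{port}")
    print("internet via gateway:", "ok" if internet_ok else "BROKEN")
    sys.exit(1 if findings or not internet_ok else 0)
```

Run it from a guest client before and after applying the rule; an exit code of 0 means no web UI port answered and the internet check still succeeded.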